Exploring the Capabilities and Economics of Cybercrime
Recent Trends and Highlights
JIM WALTER, SENIOR RESEARCH SCIENTIST | CYLANCE
INTRODUCTIONS
JIM WALTER, Sr. Research Scientist with Cylance
Previously ran the Threat Intelligence and Advanced Threat Research efforts at McAfee / Intel Security (1998-2015)
OVERVIEW
Current Attacker Community / Climate
Current Campaign and TTP Highlights
Mechanics
Mitigations & Countermeasures
Conclusions
Statistics: Cybercrime
Average annualized cost = $9.5 million
21% increase in total cost over 2015
Global cost of cybercrime in FY2016 = ~$460 billion
"Malware" dominates attack types in 2016
Information loss/theft is now the most costly consequence of cybercrime
Statistics: Cybercrime (cont.)
CryptoWall alone: ~$325 million
$6 trillion by 2021?*
Cybercrime has become the 2nd most reported economic crime**
Current Community / Climate
Surface level: skiddies / unskilled
Mid-level order-followers: unskilled, compensated by higher-ups to install and manage infrastructure and infected nodes (e.g. Nigerian Pony Loader networks)
Skilled to highly skilled: exclusive for-hire operations (e.g. Sality & Gazavat)
Nation states / government-backed: long-term and ultra-stealth
Current Community / Climate: Ransomware & For-Hire Offerings
Turn-key systems / all inclusive
Current Community / Climate: Full Service Carding
Campaigns and TTP Highlights
Nigerian BEC 'gangs'
PassCV Group
CozyBear / APT29 (PowerDuke, etc.)
Mechanics: Nigerian BEC 'gangs'
Spearphishing, BEC, Pony Loader, Hawkeye, Citadel, iSpy Premium
Mechanics: PassCV Group
Digitally signed malware
Targets gaming companies
ZxShell, Gh0st RAT, Netwire (commercial off-the-shelf tools)
Mechanics: CozyBear / APT29 (PowerDuke, etc.)
PowerShell-based malware tools
Phish / spearphish
Malicious macros in Office documents
Spikerush malware encrypted in PNG image files
Mitigations and Countermeasures: Take Note...
A majority of malware is single-use or target/host specific.
A majority of malware never ends up in the wild or on VirusTotal (VT) or similar sharing sites/services.
Mitigations and Countermeasures
In 60% of cases, attackers are able to compromise an organization within minutes.
99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.
95% of malware types showed up for less than a month, and four out of five didn't last beyond a week.
70-90% of malware samples are unique to an organization.
Mitigations and Countermeasures
Just under 1,500 'malware-related' breaches in 2016 (as opposed to physical theft, miscellaneous hacking, social engineering and more)
"Analysis of one of our larger datasets showed that 99% of malware hashes are seen for only 58 seconds or less. In fact, most malware was seen only once. This reflects how quickly hackers are modifying their code to avoid detection."
Mitigations and Countermeasures: What to do?
Signatures and traditional methods will never keep up.
Learn from the past and smarten your countermeasures.
AI and/or machine learning lead to true prevention and bring an updated methodology to endpoint protection.
Supporting Material
SAMSA RANSOMWARE TARGETING HOSPITALS / MEDICAL FACILITIES
Payload = Samsa / SamSam ransomware
'Pay up to restore functionality'
Targets Java-based web servers (JBoss)
JexBoss (Python-based JBoss exploit toolkit)
reGeorg: tunnels RDP over HTTP
csvde, psexec, sdelete: legitimate tools used to move laterally and operate inside the network
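The chain above (JexBoss probing of JBoss management endpoints, then a reGeorg HTTP tunnel carrying RDP) leaves a distinctive trail in the web server's access log long before the ransomware runs. The sweep below is an added example written for this page; it is not Cylance's code and not part of JexBoss or reGeorg. The log lines are constructed for the example. The indicator lists are assumptions drawn from the tools' documented behaviour (JexBoss enumerates the JBoss jmx-console, web-console, invoker servlets and admin-console; the reGeorg client drives its server-side tunnel script with `cmd=connect|read|forward|disconnect` query parameters) and are a starting point, not a complete signature set; reGeorg variants that pass commands only in request headers are not visible in a standard access log.

```python
"""Access-log sweep for JexBoss-style JBoss probing and reGeorg-style tunnelling.

Added example for this page; not Cylance code and not part of JexBoss/reGeorg.
Indicator lists are assumptions based on the tools' documented behaviour.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# JBoss deploy/invoke surfaces that JexBoss probes (assumed indicator list).
JBOSS_PATHS = ("/jmx-console", "/web-console", "/invoker/JMXInvokerServlet",
               "/invoker/EJBInvokerServlet", "/admin-console", "/jbossws")
# reGeorg drives its tunnel script with these cmd= values (assumed indicator).
REGEORG_CMDS = {"connect", "read", "forward", "disconnect"}
SCRIPT_EXT = (".jsp", ".aspx", ".ashx", ".php")

# Apache/nginx combined log format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log: one benign portal hit, a JexBoss-style probe burst,
# then reGeorg tunnel traffic toward an internal RDP port from the same source.
SAMPLE_LOG = """
10.20.30.40 - - [18/Mar/2016:02:14:07 +0000] "GET /jmx-console/ HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
10.20.30.40 - - [18/Mar/2016:02:14:08 +0000] "GET /web-console/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.20.30.40 - - [18/Mar/2016:02:14:08 +0000] "HEAD /invoker/JMXInvokerServlet HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.20.30.40 - - [18/Mar/2016:02:14:09 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.15 - - [18/Mar/2016:02:15:00 +0000] "GET /patient-portal/index.jsp HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.20.30.40 - - [18/Mar/2016:02:20:31 +0000] "POST /app/css/tunnel.jsp?cmd=connect&target=10.1.1.50&port=3389 HTTP/1.1" 200 0 "-" "python-requests/2.9"
10.20.30.40 - - [18/Mar/2016:02:20:32 +0000] "POST /app/css/tunnel.jsp?cmd=forward HTTP/1.1" 200 0 "-" "python-requests/2.9"
10.20.30.40 - - [18/Mar/2016:02:20:32 +0000] "POST /app/css/tunnel.jsp?cmd=read HTTP/1.1" 200 1460 "-" "python-requests/2.9"
"""


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "target": target, "status": int(status)}


def classify(entry: dict):
    """Return an indicator tag for one request, or None if nothing matched."""
    parts = urlsplit(entry["target"])
    path = parts.path
    if any(path.startswith(p) for p in JBOSS_PATHS):
        return "jboss-management-probe"
    # A server-side script being driven by reGeorg-style cmd= parameters.
    if path.lower().endswith(SCRIPT_EXT):
        cmd = parse_qs(parts.query).get("cmd", [""])[0].lower()
        if cmd in REGEORG_CMDS:
            return "regeorg-tunnel"
    return None


def sweep(log_text: str):
    """Return (alerts, per_source) for every flagged request in log_text.

    per_source counts (ip, tag) pairs so a burst from one host stands out
    even when each individual request looks unremarkable.
    """
    alerts = []
    per_source = Counter()
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag is None:
            continue
        alerts.append({"ip": entry["ip"], "ts": entry["ts"], "tag": tag,
                       "target": entry["target"], "status": entry["status"]})
        per_source[(entry["ip"], tag)] += 1
    return alerts, per_source


if __name__ == "__main__":
    found, counts = sweep(SAMPLE_LOG)
    for a in found:
        print("%(ts)s %(ip)s %(tag)s %(target)s -> %(status)d" % a)
    for (ip, tag), n in counts.items():
        print("%s: %d x %s" % (ip, n, tag))
```

Point `sweep()` at the real access log of any JBoss host; a source that first trips the management-probe tag and minutes later starts hammering a single script with `cmd=` traffic is the sequence on the slide, and the internal `target`/`port` in the connect request tells you which box the RDP tunnel is aimed at. Pair it with host-side checks for the PsExec service (PSEXESVC) and sdelete execution on the hosts that appear as tunnel targets.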